Contextual Alert of an Invasion of a Computer System

ABSTRACT

Methods, systems, and computer-readable media for providing contextual feedback to a user of a computer system upon detection of an invasion of the computer system are provided herein. An invasion of the computer system is detected and a contextually appropriate alert is selected from a set of alerts. The alert is played immediately upon detection of the invasion so that the user is alerted to the invasion within close temporal proximity to the user&#39;s action that resulted in the invasion of the computer system. In addition, details of the invasion are logged to a diagnostic log file for later use by support personnel in repairing the computer system.

CROSS-REFERENCE TO RELATED APPLICATIONS

This patent application is a continuation of and claims priority toco-pending U.S. patent application Ser. No. 12/239,861, entitled“Contextual Alert of an Invasion of a Computer System,” filed Sep. 29,2008, which is herein incorporated by reference in its entirety.

BACKGROUND

This application relates generally to the field of malware or virusdetection in personal computers. More specifically, the disclosureprovided herein relates to providing feedback upon the detection of aninvasion of a computer from a malware program.

Malware is a software program designed to invade or damage a computersystem without the user's consent. Malware may include computer viruses,trojan horses, worms, rootkits, spyware, adware, and any other softwarethat unexpectedly or without authorization invades a user's computer.Traditional malware protection software concentrates on the preventionof malware invasions by detecting the presence of a malware program andremoving the threat or warning the user before invasion of the computercan take place.

When a traditional malware protection system warns a user of a potentialinfection, the warning may often be obscure or contain technical termsand jargon unfamiliar to a layperson user. In addition, if thetraditional malware protection system detects and removes a threatbefore invasion, it also removes any user training effect in that theuser does not learn the potential consequences of certain actions theuser has performed. Further, because the tricks and mechanisms fordelivering a malware program to a computer are constantly changing andevolving, the detection of malware programs is complex and may yielderroneous results.

SUMMARY

It should be appreciated that this Summary is provided to introduce aselection of concepts in a simplified form that is further describedbelow in the Detailed Description. This Summary is not intended toidentify key features or essential features of the claimed subjectmatter, nor is it intended to be used to limit the scope of the claimedsubject matter.

Embodiments of the disclosure presented herein include methods, systems,and computer-readable media for providing contextual, audible feedbackto a user of a computer system upon detection of an invasion of thecomputer system. According to one aspect, a method is provided thatdetects the invasion of the computer system and selects a contextuallyappropriate alert tone from a set of alert tones. The alert tone isplayed through a speaker of the computer immediately upon detection ofthe invasion so that the user is alerted to the invasion within closetemporal proximity to the user's action that resulted in the invasion ofthe computer system. In addition, details of the invasion are logged toa diagnostic log file for later use by support personnel in repairingthe computer system.

In another aspect, a system for alerting a user of an invasion of acomputer system is provided. The system includes a number of alerttones, each of which is a digital recording approximating a naturalsound or utterance related to the context of a particular type orseverity of invasion of a computer system. The system also includes adetection module that detects the invasion of the computer system,selects the appropriate alert tone that matches the context of theinvasion, and immediately plays the alert tone on a speaker of thecomputer system.

In yet a further aspect, a computer-readable storage medium is providedthat contains executable instructions that cause the computer to alert auser of an unexpected or unauthorized change in a system configurationof the computer. Upon detection of the unexpected or unauthorizedchange, the computer selects an alert from a set of contextual alertsthat inherently convey to the user the type and severity of theunexpected or unauthorized change in the system configuration. The alertis then immediately played to the user and details regarding theunexpected or unauthorized change are logged to a diagnostic log file.

Other systems, methods, and/or computer program products according toembodiments will be or become apparent to one with skill in the art uponreview of the following drawings and detailed description. It isintended that all such additional systems, methods, and/or computerprogram products be included within this description, be within thescope of the present invention, and be protected by the accompanyingclaims.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating an operating environment forproviding contextual, audible feedback to a user upon detection of aninvasion of a computer system, in accordance with exemplary embodiments.

FIG. 2 is a flow diagram illustrating one method for providingcontextual, audible feedback to the user upon detection of an invasionof the computer system, in accordance with exemplary embodiments.

FIG. 3 is a block diagram showing an illustrative computer hardware andsoftware architecture for a computing system capable of implementingaspects of the embodiments presented herein.

DETAILED DESCRIPTION

The following detailed description is directed to methods, systems, andcomputer-readable media for providing contextual, audible feedback to auser of a computer system upon detection of an invasion of the computersystem. Utilizing the technologies described herein, a contextuallyappropriate alert tone is played for the user immediately upon thedetection of an invasion of the computer system. An alert tone isselected that inherently provides natural feedback to the userindicating the type and severity of the invasion without requiring theuser to understand complex computer jargon or terminology. In addition,the immediate alert allows the user to be informed of the invasion inclose temporal proximity to the user's actions that may have caused orfacilitated the invasion, thus providing training for the user regardingthe consequences of the user's actions.

In the following detailed description, references are made to theaccompanying drawings that form a part hereof, and that show by way ofillustration specific embodiments or examples. In referring to thedrawings, it is to be understood that like numerals represent likeelements through the several figures, and that not all componentsdescribed and illustrated with reference to the figures are required forall embodiments.

Referring now to FIG. 1, an illustrative operating environment 100 andseveral software components for providing a contextual, audible alert ofan invasion of a computer system are shown, according to embodiments.The environment 100 includes a computer 102, which may be any type ofcomputer device, including, but not limited to, a desktop computer, alaptop, a notebook, an ultra-mobile personal computer (PC), a pocket PC,a personal digital assistant, or a smartphone. A user 104 may interactwith the computer 102 through a user-interface (UI) device, such as acomputer terminal 106. It will be appreciated that any number of UIdevices may be imagined, including, but not limited to, a mouse, akeyboard, a display, a trackball, a keypad, a stylus, or a touch-screenmonitor.

The user 104 may use the computer 102 to execute application programs108 that perform a number of functions, such as word processing, editingspreadsheets, reading email, and Web browsing. The application programs108 may depend on system files 110, data files 112, and configurationsettings 114 stored on the computer 102 in order to perform the desiredfunctions. The system files 110 may consist of shared libraries, such asdynamic link library (DLL) files or component object model (COM)components, that provide UI, network, file access, and other services tothe application programs 108. The data files 112 may include files thatcontain data specific to one of the application programs 108, such as adocument file used by a word processing application program. In somecases, the data files 112 may contain executable modules as well, suchas a spreadsheet file that contains macro code.

The configuration settings 114 provide the necessary information for thecomputer hardware, the operating system, and the application programs108 on the computer 102 to operate, and may include user preferencesettings that control how these components behave. For example, theconfiguration settings 114 may include a list of software programs thatare to be loaded when the computer 102 is started, the location andservices provided by the various system files 110, and associationsbetween types of the data files 112 and the corresponding applicationprograms 108. The configuration settings 114 may be stored in a centrallocation, such as the registry database in a computer, such as thecomputer 102, running the WINDOWS® operating system from MICROSOFTCORPORATION, in individual configuration files located throughout thecomputer 102, or some combination of the two.

According to embodiments, a malware program 116 may also execute on thecomputer 102. As described above, the malware program 116 is a programthat invades or infects a computer, such as the computer 102,unexpectedly or without authorization from the user 104. The malwareprogram 116 may be executing as the result of an action taken by theuser 104 of the computer 102. For example, the user 104 may have openedan attachment to an e-mail received on the computer 102, may have openeda spreadsheet file containing a macro program, or may have clicked alink on a webpage being viewed in a Web browser application executing onthe computer 102.

The intention of the malware program 116 may be to damage the computer102 in some way, by erasing the data files 112 on the computer 102, forexample; to collect private information from the computer, such as emailaddresses, bank account numbers, websites visited, etc.; or to cause thecomputer to serve as a platform for forwarding spam e-mail or launchingdenial-of-service attacks. Types of malware programs 116 include, butare not limited to, computer viruses, trojan horses, worms, rootkits,spyware, and adware.

The malware program 116 may invade and infect the computer 102 by makingmodifications to the system files 110, data files 112, or configurationsettings 114, in order for the malware program to perform its intendedfunction. For example, the malware program 116 may add itself to thelist of programs to execute when the computer 102 is started in theconfiguration settings 114, replace an oft used DLL in the system files110 with a copy containing the necessary instructions to load themalware program, or place a macro or other executable code in the datafiles 112 that causes the malware program to execute whenever one of thedata files is loaded by the associated application program 108. It willbe appreciated by one skilled in the art that many other forms ofmalware programs and invasions of a computer system may be imagined, andit is intended that all such forms be within the scope of the presentinvention.

In one embodiment, the computer 102 also includes an invasion detectorprogram 118 responsible for detecting the invasion of the computer 102by the malware program 116. The invasion detector program 118 may beloaded by the computer 102 upon startup and may run in the backgroundand continuously monitor the system files 110, data files 112,configuration settings 114, and other components of the computer todetect changes that indicate an invasion of the computer 102 by amalware program, such as the malware program 116. As will be describedbelow in more detail in regard to FIG. 2, when the invasion detectorprogram 118 detects an invasion of the computer 102, the invasiondetector program selects an appropriate alert tone from a set of alerttones 120 available on the computer 102 to play to the user 104,according to exemplary embodiments. The alert tone 120 is played througha speaker 122 connected to the computer 102. In addition, the invasiondetector program 118 may log the details of the invasion to a diagnosticlog file 124.

According to one embodiment, the alert tones 120 consist of a group ofdigital recordings or approximations of natural utterances that arecontextually related to a particular type or severity of invasion of acomputer. For example, one alert tone 120 may be a recording of apainful groan that would be played when an invasion of the computer 102resulted in execution of a malware program, such as the malware program116, which caused damage to the system files 110 or data files 112 onthe computer. Playing the groan to the user 104 upon the invasion of thecomputer 102 clearly indicates to the user that the computer had beeninfected and that serious damage has resulted.

Another alert tone 120 may consist of a recording of a person saying“Oops!” This alert tone 120 may be played when an invasion of thecomputer 102 is detected that is not as severe, for example, upon thedownload of a tracking cookie by a Web browser application. By providingnatural sounding alerts that are contextually related to the severityand type of invasion, the user 104 can be provided an immediatenotification of the context of the invasion that has taken place,without having to have an understanding of computer terms or jargon inorder to understand the complex messages displayed by traditionalmalware protection systems.

It will be appreciated that other types of sounds contextually relatedto the type and severity of an invasion may be played to the user 104,beyond the natural utterances described above. In a non-limitingexample, an air-raid siren may be played to the user 104 upon detectionof an invasion by a trojan horse program. It will further be appreciatedthat other forms of contextual alerts may be provided beyond the auralalert tones described herein. For example, upon invasion of the computer102 by a malware program, such as the malware program 116, whichdestroys the system files 110 and data files 112, the computer may emitfake smoke or an odor approximating the smell of an electrical short,providing immediate feedback to the user 104 that the computer has beenseverely damaged.

In one embodiment, the alert tones 120 may be provided with the computer102, such as when installed as part of the configuration by the computermanufacturer. This allows for support personnel to understand themeaning of each alert tone when diagnosing a computer problem. Forinstance, following the example provided above, if the user 104 contactssupport personnel for the computer 102 and complains that “My computersays ‘Oops’ every time I visit this website,” the support personnel willimmediately know that the website is placing unauthorized cookies on thecomputer.

In another embodiment, the user 104 may provide the alert tones 120. Theuser provided alert tones 120 may be a set of digital recordingspurchased and/or downloaded from the Internet, similar to ringtones forcell phone devices, or the alert tones may be recorded by the user 104in his or her own voice, or the voices of family members or friends. Forexample, the user 104 may record a set of the alert tones 120 consistingof the user's spouse chastising the user by name at different levels ofseverity, to be matched contextually with various levels of severity ofpotential invasions of the computer 102.

Referring now to FIG. 2, additional aspects regarding the operation ofthe components and software modules described above in regard to FIG. 1will be provided. It should be appreciated that the logical operationsdescribed herein are implemented (1) as a sequence of computerimplemented acts or program modules running on a computing system and/or(2) as interconnected machine logic circuits or circuit modules withinthe computing system. The implementation is a matter of choice dependenton the performance and other requirements of the computing system.Accordingly, the logical operations described herein are referred tovariously as operations, structural devices, acts, or modules. Theseoperations, structural devices, acts, and modules may be implemented insoftware, in firmware, in special purpose digital logic, and anycombination thereof.

It should also be appreciated that, while the operations are depicted inFIG. 2 as occurring in a sequence, various operations described hereinmay be performed by different components or modules at different times.In addition, more or fewer operations may be performed than shown, andthe operations may be performed in a different order than illustrated inFIG. 2.

FIG. 2 illustrates an exemplary routine 200 for providing contextual,audible feedback to a user, such as the user 104, upon detection of aninvasion of a computer system, such as the computer 102, in accordancewith embodiments. The routine 200 begins at operation 202, where theinvasion detector program 118 detects an unexpected and/or unauthorizedevent or events indicating an invasion of the computer 102 by a malwareprogram, such as the malware program 116. As described above, thedetected event may be a change in one or more of the system files 110,data files 112, configuration settings 114, or other components of thecomputer 102.

For example, the invasion detector program 118 may detect that themalware program 116 has added itself to the list of programs in theconfiguration settings 114 to execute when the computer 102 is started,or has replaced a system DLL in the system files 110 with a copycontaining malicious code. It will be appreciated that many additionalmethods known in the art may be utilized by the invasion detectorprogram 118 to detect an invasion of the computer, including, but notlimited to, detection of a process running at an unexpected securitylevel, detection of the loading of an un-signed executable or sharedlibrary file, or detection of a UI window being opened at coordinatesoutside of the visible area of the display.

Upon detection of the invasion of the computer 102, the routine 200proceeds from operation 202 to operation 204, where the invasiondetector program 118 selects the appropriate alert tone from the alerttones 120 to play to the user 104 in response to the invasion. Asdiscussed above, the appropriate alert tone 120 is selected based uponthe context of the invasion, according to embodiments. The context mayinclude the type of the invasion as well as the severity of theconsequences. The invasion detector program 118 may select a naturalutterance that symbolizes pain, such as a groan, grunt, or “Ugh” asappropriate feedback for a type of invasion that causes damage to thecomputer 102. Similarly, the invasion detector program 118 may select anatural utterance that reflects concern, such as “Uh-oh” or “Look out!”for a type of invasion that collects private information.

In addition, the invasion detector program 118 may consider the severityof the invasion in selecting the appropriate alert tone 120. For aninvasion that results in the collection of personal information to besent to a remote computer over the Internet, the invasion detectorprogram 118 may select an alert tone that relates the severe privacyramifications to the user 104, while an invasion that simply places atracking cookie in a web browser program cache may result in morepassive feedback, such as a sigh or “Oops!”

In a further embodiment, the invasion detector program 118 selects theappropriate alert tone 120 based upon user preferences on the computer102 as well. Different user preference settings may be available fordifferent users in the configuration settings 114 of the computer 102. Aparticular user 104 of the computer 102 may have downloaded or recordeda unique set of alert tones 120 from which the invasion detector program118 is to select the appropriate alert tone. In addition, different setsof alert tones 120 may be provided with the computer 102 that areappropriate for different classes of users. For example, the invasiondetector program 118 may select an alert tone of “Oh my!” in response toa particular type of invasion for an older generation user 104, but mayselect “Dude!” for the same type of invasion for a teenage user. It willbe appreciated that the selection of the appropriate alert tone toutilize as feedback may also be based on other characteristics of users,including, but not limited to, level of knowledge, native language, age,or cultural experience.

From operation 204, the routine 200 proceeds to operation 206, where theinvasion detector program 118 plays the selected alert tone 120 to theuser 104 through the speaker 122 connected to the computer 102.According to one embodiment, the invasion detector program 118 plays theselected alert tone 120 immediately upon detection of the invasion sothat the alert tone indicating the invasion is heard by the user 104within close temporal proximity to the user's action that may havecaused or facilitated the invasion. In this way, the contextual, audiblefeedback has a “training effect,” in that the user 104 may learn thetypes of actions that may cause an invasion of the computer 102 as wellas the potential consequences of similar such actions.

The routine 200 then proceeds from operation 206 to operation 208, wherethe invasion detector program 118 logs detailed information about theinvasion to the diagnostic log file 124. This information may includethe time and date that the invasion was detected, the event or eventsdetected that indicated the invasion, and any other data that will aidsupport personnel in repairing the computer 102. From operation 208, theroutine 200 ends.

FIG. 3 is a block diagram illustrating a computer system 300 configuredto provide contextual, audible feedback to a user upon detection of aninvasion of the computer system, in accordance with exemplaryembodiments. The computer system 300 may be utilized to implement thecomputer 102 described above in regard to FIG. 1. The computer system300 includes a processing unit 302, a memory 304, one or more userinterface devices 306, one or more input/output (“I/O”) devices 308, andone or more network interface controllers 310, each of which isoperatively connected to a system bus 312. The bus 312 enablesbi-directional communication between the processing unit 302, the memory304, the user interface devices 306, the I/O devices 308, and thenetwork interface controllers 310.

The processing unit 302 may be a standard central processor thatperforms arithmetic and logical operations, a more specific purposeprogrammable logic controller (“PLC”), a programmable gate array, orother type of processor known to those skilled in the art and suitablefor controlling the operation of the computer. Processing units arewell-known in the art, and therefore not described in further detailherein.

The memory 304 communicates with the processing unit 302 via the systembus 312. In one embodiment, the memory 304 is operatively connected to amemory controller (not shown) that enables communication with theprocessing unit 302 via the system bus 312. The memory 304 includes anoperating system 316 and one or more program modules 318, according toexemplary embodiments. Examples of operating systems, such as theoperating system 316, include, but are not limited to, WINDOWS®,WINDOWS® CE, and WINDOWS MOBILE® from MICROSOFT CORPORATION, LINUX,SYMBIAN™ from SYMBIAN SOFTWARE LTD., BREW® from QUALCOMM INCORPORATED,MAC OS® from APPLE INC., and FREEBSD operating system. Examples of theprogram modules 318 include the application programs 108, the malwareprogram 116, and the invasion detector program 118. In one embodiment,the program modules 318 are embodied in computer-readable mediacontaining instructions that, when executed by the processing unit 302,perform the routine 200 providing contextual, audible feedback to a userupon detection of an invasion of the computer system, as described ingreater detail above with respect to FIG. 2. According to furtherembodiments, the program modules 318 may be embodied in hardware,software, firmware, or any combination thereof.

By way of example, and not limitation, computer-readable media maycomprise computer storage media and communication media. Computerstorage media includes volatile and non-volatile, removable andnon-removable media implemented in any method or technology for storageof information such as computer-readable instructions, data structures,program modules, or other data. Computer storage media includes, but isnot limited to, RAM, ROM, Erasable Programmable ROM (“EPROM”),Electrically Erasable Programmable ROM (“EEPROM”), flash memory or othersolid state memory technology, CD-ROM, digital versatile disks (“DVD”),or other optical storage, magnetic cassettes, magnetic tape, magneticdisk storage or other magnetic storage devices, or any other mediumwhich can be used to store the desired information and which can beaccessed by the computer system 300.

The user interface devices 306 may include one or more devices withwhich a user accesses the computer system 300, such as the computerterminal 106. The user interface devices 306 may also include, but arenot limited to, computers, servers, personal digital assistants,cellular phones, or any suitable computing devices. The I/O devices 308enable a user to interface with the program modules 318. In oneembodiment, the I/O devices 308 are operatively connected to an I/Ocontroller (not shown) that enables communication with the processingunit 302 via the system bus 312. The I/O devices 308 may include one ormore input devices, such as, but not limited to, a keyboard, a mouse, oran electronic stylus. Further, the I/O devices 308 may include one ormore output devices, such as, but not limited to, the speaker 122, adisplay screen or a printer.

The network interface controllers 310 enable the computer system 300 tocommunicate with other networks or remote systems via a network 314.Examples of the network interface controllers 310 may include, but arenot limited to, a modem, a radio frequency (“RF”) or infrared (“IR”)transceiver, a telephonic interface, a bridge, a router, or a networkcard. The network 314 may include a wireless network such as, but notlimited to, a Wireless Local Area Network (“WLAN”) such as a WI-FInetwork, a Wireless Wide Area Network (“WWAN”), a Wireless Personal AreaNetwork (“WPAN”) such as BLUETOOTH, a Wireless Metropolitan Area Network(“WMAN”) such a WiMAX network, or a cellular network. Alternatively, thenetwork 314 may be a wired network such as, but not limited to, a WideArea Network (“WAN”) such as the Internet, a Local Area Network (“LAN”)such as the Ethernet, a wired Personal Area Network (“PAN”), or a wiredMetropolitan Area Network (“MAN”).

Although the subject matter presented herein has been described inconjunction with one or more particular embodiments and implementations,it is to be understood that the embodiments defined in the appendedclaims are not necessarily limited to the specific structure,configuration, or functionality described herein. Rather, the specificstructure, configuration, and functionality are disclosed as exampleforms of implementing the claims.

The subject matter described above is provided by way of illustrationonly and should not be construed as limiting. Various modifications andchanges may be made to the subject matter described herein withoutfollowing the example embodiments and applications illustrated anddescribed, and without departing from the true spirit and scope of theembodiments, which is set forth in the following claims.

1. A method for providing a contextual feedback of an invasion of acomputer system, comprising: detecting, by an invasion detector programexecuting in the computer system, the invasion of the computer system;selecting, by the invasion detector program, a contextual alert from aplurality of contextual alerts stored on the computer system based on acontext of the invasion; playing the contextual alert to a user of thecomputer system to alert of the invasion; and logging informationregarding the context of the invasion to a log file.
 2. The method ofclaim 1, wherein the contextual alert comprises a digital recordingapproximating a natural utterance related to the context of theinvasion.
 3. The method of claim 1, wherein the contextual alertcomprises an emission of fake smoke from the computer.
 4. The method ofclaim 1, wherein the contextual alert comprises an emission of an odorapproximating a smell of an electrical short circuit.
 5. The method ofclaim 1, wherein the context of the invasion comprises a type of theinvasion and a severity of the invasion.
 6. The method of claim 1,wherein the selection of the contextual alert is further based upon userpreferences of the computer system.
 7. The method of claim 1, whereindetecting the invasion of the computer system comprises detecting achange to one of a program file, a data file, or a configuration settingof the computer system.
 8. A system for providing contextual feedback ofan invasion of a computer system, comprising: a processing unit; amemory operatively connected to the processing unit; and an invasiondetector program stored in the memory and configured to cause theprocessing unit to perform operations comprising detecting the invasionof the computer system, selecting a contextual alert from a plurality ofcontextual alerts stored on the computer system based on the context ofthe invasion, and playing the contextual alert to alert of the invasion,wherein each of the plurality of contextual alerts comprises acontextual response that inherently relates to a user a context of aninvasion of the computer system.
 9. The system of claim 8, wherein thecontextual alert comprises a digital recording approximating a naturalutterance related to the context of the invasion.
 10. The system ofclaim 8, wherein the contextual alert comprises an emission of fakesmoke from the computer.
 11. The system of claim 8, wherein thecontextual alert comprises an emission of an odor approximating a smellof an electrical short circuit.
 12. The system of claim 8, wherein thecontext of the invasion comprises a type of the invasion and a severityof the invasion.
 13. The system of claim 8, wherein the selection of thecontextual alert is further based upon user preferences of the computersystem.
 14. The system of claim 8, wherein detecting the invasion of thecomputer system comprises detecting a change to one of a program file, adata file, or a configuration setting of the computer system.
 15. Thesystem of claim 8, wherein the invasion detector program is furtheroperative to log information regarding the context of the invasion to alog file.
 16. A computer readable storage device having computerexecutable instructions stored thereon that, when executed by acomputer, cause the computer to perform operations comprising: detectinga change in a system configuration of the computer; selecting acontextual alert from a plurality of contextual alerts stored on thecomputer based on a type and a severity of the change in the systemconfiguration, each of the plurality of contextual alerts representing acontextual response that inherently indicates to a user the type and theseverity of changes in the system configuration; playing the contextualalert to alert of the change in the system configuration; and logginginformation regarding the change in the system configuration to a logfile.
 17. The computer readable storage device of claim 16, wherein theselection of the contextual alert is further based upon user preferencesstored on the computer.
 18. The computer readable storage device ofclaim 16, wherein one of the plurality of contextual alerts comprises adigital recording approximating a natural utterance contextually relatedto the type and the severity of the change in the system configurationof the computer.
 19. The computer readable storage device of claim 16,wherein one of the plurality of contextual alerts comprises an emissionof fake smoke from the computer.
 20. The computer readable storagedevice of claim 16, wherein one of the plurality of contextual alertscomprises an emission of an odor approximating a smell of an electricalshort circuit.